Myanmar: Draft Cyber Security Law and Other Threats to Fundamental Freedoms

On February 1, 2021, the Myanmar military (Tatmadaw) staged a coup, overthrowing the National League for Democracy (NLD) government, elected overwhelmingly by Myanmar citizens in the November 2020 elections. Claiming electoral fraud, the military declared a year-long state of emergency, transferred power to commander-in-chief Min Aung Hlaing, and replaced elected officials with military personnel.

Malaysia protest (photo credit: Wiki Commons)

In the wake of the coup, the Tatmadaw has detained and arrested more than 200 NLD members, human rights defenders, teachers, monks, artists, journalists, and protesters. Security forces have responded to peaceful public protests and civil disobedience campaigns by banning rallies and gatherings of more than 5 people and imposing an 8 p.m. to 4 a.m. curfew in Yangon and Mandalay. They have also subjected protesters to water cannons, tear gas, rubber-coated bullets, and live ammunition. Such tactics violate international law on freedom of peaceful assembly.

Moreover, the Tatmadaw has shut down the Internet, interrupted telecommunications systems, and banned social media, which has restricted the freedom of expression and right to information of the Myanmar people. These measures are particularly concerning in light of the ongoing COVID-19 pandemic, where transparency and communication are critical.

Just over a week after the coup, the Tatmadaw released a draft Cyber Security Law. In addition to questions around the legitimacy of “law-making” by the entity responsible for the coup, numerous provisions of the draft law would certainly violate international human rights law. If enforced, this law would provide yet another means to restrict the freedom of expression and repress the voices of individuals and civil society in Myanmar. Some of the most concerning points are as follows.


  • Unlawful restrictions to the freedom of expression. The Law criminalizes online content deemed to be “misinformation” or “disinformation.” Under Article 64, any person found guilty of “creating misinformation and disinformation with the intent of causing public panic, loss of trust or social division” online can be imprisoned for up to 3 years. Article 29 requires Internet Service Providers (ISPs), at the military’s request, to prevent, remove, and destroy all “misinformation and disinformation.” It further empowers the removal of any “written and verbal statement against any existing law,” and all “speech, texts, images, videos, audio files, signs or other types of expression” that cause “hate, disrupt unity, stabilization, [or] peace.” These types of broad, overly vague, and arbitrary restrictions to online speech violate international law and would establish the Tatmadaw as the sole arbiter of truth and information in Myanmar.
  • Criminalization of anonymity. The Law seeks to prevent individuals from using the internet anonymously by requiring individuals to use their real names to access the internet. Specifically, Article 65 criminalizes the creation of “fake” online accounts “with the intent of causing public panic, loss of trust or social division.” Anonymity, including the right to use pseudonyms/aliases, has been recognized as an important component of safeguarding free expression, privacy, political accountability, and public participation. As such, Article 65 does not comply with international law.
  • Expansion of Internet shutdowns. The Law, in Article 51, provides the Tatmadaw full discretion to temporarily or permanently ban all online services. In so doing, the Law attempts to legitimize Internet shutdowns and telecommunications interruptions. Under international law, however, such expansive network disruptions are nearly always illegal.
  • Privacy concerns around personal data. Article 15 of the Law seemingly allows the Tatmadaw to collect and retain almost any personal information of individuals as long as it concerns “state sovereignty, stability, [and] national security.” Moreover, ISPs are required under Article 30 to retain personal identifying information of their users for three years and turn over this information to the military upon request. Article 28 further requires ISPs to store user information at a place of the military’s choosing. International human rights law makes clear that the collection and retention of personal data, especially data related to electronic communications, constitute an interference with the right to privacy.

In addition to these points, the Law has a potentially wide, extraterritorial reach, applying to “offences committed locally and internationally” (Article 2), and such broad-ranging definitions of “critical information infrastructure” that virtually all government communications would fall under its ambit (Article 16). It also allows for those accused of vague cybercrime acts (such as “preventing access to a cyber source…with an intent to disturb…national solidarity”) to be charged under counterterrorism laws (Articles 70-71), and provides no right of appeal for anyone charged criminally under the act (appeal provisions are only provided for licensing concerns, Chapter 16).

This Law, if implemented, would give rise to numerous violations of international law and further restrict civic space in Myanmar, limiting economic development and opportunities for international engagement. ICNL is deeply concerned that the Law’s overbroad, vague provisions could be wielded to criminalize the legitimate online expression of civil society actors. To protect the freedoms of association, assembly, and expression in furtherance of the welfare of the Myanmar people, the Tatmadaw must withdraw the draft Cyber Security Law and fully restore telecommunication services and access to the internet.

For more information, please contact